In In S_scan_heredoc(), avoid memNE() reading beyond the end of s.

If the heredoc terminator we are searching for is longer than the bytes
remaining in s, then the memNE() would read beyond initialised memory.
Hence change the loop bounds to avoid this case, and change the failure case
below to reflect the revised end-of-loop condition.

It doesn't matter that the loop no longer increments shared->herelines,
because the failure case calls S_missingterm(), which croaks.

diff --git a/toke.c b/toke.c
index e6e59a3..35cd364 100644 (file)
--- a/toke.c
+++ b/toke.c
@@ -9959,12 +9959,12 @@ S_scan_heredoc(pTHX_ char *s)
        linestr = shared->ls_linestr;
        bufend = SvEND(linestr);
        d = s;
-       while (s < bufend &&
+       while (s < bufend - len + 1 &&
           memNE(s,PL_tokenbuf,len) ) {
            if (*s++ == '\n')
                ++shared->herelines;
        }
-       if (s >= bufend) {
+       if (s >= bufend - len + 1) {
            goto interminable;
        }
        sv_setpvn(tmpstr,d+1,s-d);